Diffstat (limited to 'modules/caddytls')
| -rw-r--r-- | modules/caddytls/acmeissuer.go | 6 | ||||
| -rw-r--r-- | modules/caddytls/connpolicy.go | 7 | ||||
| -rw-r--r-- | modules/caddytls/tls.go | 19 | 
3 files changed, 21 insertions, 11 deletions
| diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index f108d72..53638fe 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -144,6 +144,10 @@ func (m *ACMEIssuer) SetConfig(cfg *certmagic.Config) {
 	m.magic = cfg
 }
+// TODO: I kind of hate how each call to these methods needs to
+// make a new ACME manager to fill in defaults before using; can
+// we find the right place to do that just once and then re-use?
+
 // PreCheck implements the certmagic.PreChecker interface.
 func (m *ACMEIssuer) PreCheck(names []string, interactive bool) error {
 	return certmagic.NewACMEManager(m.magic, m.template).PreCheck(names, interactive)
@@ -156,7 +160,7 @@ func (m *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*
 // IssuerKey returns the unique issuer key for the configured CA endpoint.
 func (m *ACMEIssuer) IssuerKey() string {
-	return m.template.IssuerKey() // does not need storage and cache
+	return certmagic.NewACMEManager(m.magic, m.template).IssuerKey()
 }
 // Revoke revokes the given certificate.
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 5b830f9..7618db4 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -55,6 +55,11 @@ func (cp ConnectionPolicies) Provision(ctx caddy.Context) error {
 			cp[i].certSelector = val.(certmagic.CertificateSelector)
 		}
+		// enable HTTP/2 by default
+		if len(pol.ALPN) == 0 {
+			pol.ALPN = append(pol.ALPN, defaultALPN...)
+		}
+
 		// pre-build standard TLS config so we don't have to at handshake-time
 		err = pol.buildStandardTLSConfig(ctx)
 		if err != nil {
@@ -452,3 +457,5 @@ func (a *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error {
 type ConnectionMatcher interface {
 	Match(*tls.ClientHelloInfo) bool
 }
+
+var defaultALPN = []string{"h2", "http/1.1"}
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index f91229f..0b39c71 100644
--- a/modules/caddytls/tls.go
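Review bot: IssuerKey in the second hunk now builds a fresh certmagic.ACMEManager on every call, and the new TODO says PreCheck, Issue and Revoke do the same; SetConfig on the first line of this hunk is where `m.magic` arrives, so it looks like the one place to build the manager once — `m.manager = certmagic.NewACMEManager(cfg, m.template)` beside `m.magic = cfg`, with the methods then calling `m.manager.IssuerKey()` and so on. That only holds if NewACMEManager depends on nothing beyond the config and template and SetConfig is guaranteed to run before any of these methods, which the diff does not show. The removed `// does not need storage and cache` comment indicates the old IssuerKey was deliberately cheap; if IssuerKey is consulted on a frequent path (presumably to derive storage keys), the per-call construction is the cost to measure. The enclosing methods are cut at both edges of the hunks.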
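Review bot: The ALPN default is written through `pol`, while the line just above writes through `cp[i]`; if the range variable is a copy of the policy rather than a pointer, the appended list lives only in the copy, so `if len(cp[i].ALPN) == 0 { cp[i].ALPN = append(cp[i].ALPN, defaultALPN...) }` would be safe either way and consistent with its neighbour. The comment `// enable HTTP/2 by default` undersells what the check does: the default is applied only when the policy has no ALPN at all, so an explicitly configured list that omits "h2" turns HTTP/2 off for that policy; suggest `// no ALPN configured: advertise h2 and http/1.1 (an explicit list replaces this default entirely)` and the same sentence on the ALPN field's doc comment so it shows up in the JSON docs. In the second hunk, `var defaultALPN` sits after the ConnectionMatcher interface at the end of the file; it reads better with the other package-level declarations. Provision's body continues outside the hunk.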
+++ b/modules/caddytls/tls.go
@@ -181,7 +181,6 @@ func (t *TLS) Validate() error {
 		// ensure that host aren't repeated; since only the first
 		// automation policy is used, repeating a host in the lists
 		// isn't useful and is probably a mistake
-		// TODO: test this
 		hostSet := make(map[string]int)
 		for i, ap := range t.Automation.Policies {
 			for _, h := range ap.Hosts {
@@ -279,8 +278,8 @@ func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool {
 	if ap.magic.Issuer == nil {
 		return false
 	}
-	if am, ok := ap.magic.Issuer.(*certmagic.ACMEManager); ok {
-		return am.HandleHTTPChallenge(w, r)
+	if am, ok := ap.magic.Issuer.(*ACMEIssuer); ok {
+		return certmagic.NewACMEManager(am.magic, am.template).HandleHTTPChallenge(w, r)
 	}
 	return false
 }
@@ -709,7 +708,7 @@ const automateKey = "automate"
 // (beta 16 changed the storage path for certificates),
 // after which this function can be deleted
 func (t *TLS) moveCertificates() error {
-	log := t.logger.Named("automigrate")
+	logger := t.logger.Named("automigrate")
 	baseDir := caddy.AppDataDir()
@@ -760,7 +759,7 @@ func (t *TLS) moveCertificates() error {
 		}
 		if len(oldAcmeSites) > 0 {
-			log.Warn("certificate storage path has changed; attempting one-time auto-migration",
+			logger.Warn("certificate storage path has changed; attempting one-time auto-migration",
 				zap.String("old_folder", oldAcmeSitesDir),
 				zap.String("new_folder", newBaseDir),
 				zap.String("details", "https://github.com/caddyserver/caddy/issues/2955"))
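Review bot: The new branch in HandleHTTPChallenge constructs a certmagic.ACMEManager from `am.magic` and `am.template` on every request that reaches it, which is plain-HTTP traffic from unauthenticated clients, and it does so by reaching into ACMEIssuer's fields from tls.go. Giving the issuer its own method keeps that construction in one place: `func (m *ACMEIssuer) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool { return certmagic.NewACMEManager(m.magic, m.template).HandleHTTPChallenge(w, r) }`, with this line becoming `return am.HandleHTTPChallenge(w, r)`; that method is also where a manager built once in SetConfig could be reused later. Whether `am.magic` can still be nil at this point (SetConfig not yet called) is not visible here and deserves either a guard or a comment stating the invariant. HandleHTTPChallenge's body starts before the hunk.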
@@ -775,13 +774,13 @@ func (t *TLS) moveCertificates() error {
 			// move the folder
 			oldPath := filepath.Join(oldAcmeSitesDir, siteInfo.Name())
 			newPath := filepath.Join(newBaseDir, siteInfo.Name())
-			log.Info("moving certificate assets",
+			logger.Info("moving certificate assets",
 				zap.String("ca", oldCA),
 				zap.String("site", siteInfo.Name()),
 				zap.String("destination", newPath))
 			err = os.Rename(oldPath, newPath)
 			if err != nil {
-				log.Error("failed moving site to new path; skipping",
+				logger.Error("failed moving site to new path; skipping",
 					zap.String("old_path", oldPath),
 					zap.String("new_path", newPath),
 					zap.Error(err))
@@ -792,7 +791,7 @@ func (t *TLS) moveCertificates() error {
 			metaFilePath := filepath.Join(newPath, siteInfo.Name()+".json")
 			metaContents, err := ioutil.ReadFile(metaFilePath)
 			if err != nil {
-				log.Error("could not read metadata file",
+				logger.Error("could not read metadata file",
 					zap.String("filename", metaFilePath),
 					zap.Error(err))
 				continue
@@ -806,12 +805,12 @@ func (t *TLS) moveCertificates() error {
 			}
 			newMeta, err := json.MarshalIndent(cr, "", "\t")
 			if err != nil {
-				log.Error("encoding new metadata file", zap.Error(err))
+				logger.Error("encoding new metadata file", zap.Error(err))
 				continue
 			}
 			err = ioutil.WriteFile(metaFilePath, newMeta, 0600)
 			if err != nil {
-				log.Error("writing new metadata file", zap.Error(err))
+				logger.Error("writing new metadata file", zap.Error(err))
 				continue
 			}
 		} | 
